
The case against Auernheimer, who has often been in solitary confinement for obtaining and disclosing personal data of about 140,000 iPad owners from a publicly available AT&T website, was seen as a test case on how far the authorities could go under the Computer Fraud and Abuse Act (CFAA), the same law that federal prosecutors were invoking against Aaron Swartz.

But in the end, the Third US Circuit Court of Appeals didn't squarely address the controversial fraud law and instead said Auernheimer was charged in the wrong federal court.

"Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue," the appeals court wrote. "The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence" (PDF).

Auernheimer was accused of passing along the e-mail addresses to Gawker, which thereafter published the information in redacted form in 2010. Auernheimer was convicted in a New Jersey federal court of a felony under the CFAA for conspiracy to access AT&T's servers against the company's will.

His attorneys argued all along that in order for the CFAA to have applied in this case, there needed to be some sort of "password-gate" or other way of keeping someone out of the AT&T website, which was not present here. They maintained that Auernheimer did not hack into servers or steal passwords. Rather, a major network security flaw at AT&T was discovered and exploited.

A three-judge federal appellate panel, however, for the most part sidestepped ruling on the merits of the hacking allegations and instead focused on where the case was tried.

The government argued that the New Jersey court was a proper venue for the case because 4,500 e-mail addresses were obtained from residents there. The authorities claimed that even if the venue was improper, it should be disregarded because it did "not affect substantial rights."

The court disagreed and suggested that Auernheimer's home state of Arkansas, where the alleged illegal activity took place, was the proper location for trial:

Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey. Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened. While we are not prepared today to hold that an error of venue never could be harmless, we do not need to because the improper venue here—far from where he performed any of his allegedly criminal acts—denied Auernheimer's substantial right to be tried in the place where his alleged crime was committed.

Co-defendant Daniel Spitler discovered a security vulnerability in the website used to register iPad users who signed up for AT&T's 3G service. A script on AT&T's servers would accept an iPad's ICC-ID—a unique identifier embedded in the device's microSIM card—and return that user's e-mail address. Spitler figured out that ICC-IDs come in a predictable range, allowing him to enumerate the tens of thousands of them and obtain the corresponding e-mail addresses. Auernheimer was accused of providing Spitler with advice and encouragement over IRC, and later disclosed the information Spitler obtained to the media. In the view of federal prosecutors, Spitler's actions constituted a violation of the Computer Fraud and Abuse Act, and Auernheimer faced conspiracy charges for allegedly assisting Spitler.
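The vulnerability the paragraph above describes is a lookup endpoint that treats a predictable device identifier as if it were a credential. The following is an added example, not code from the article, from AT&T or from the defendants, that models that pattern in miniature: a vulnerable lookup that maps an identifier straight to an e-mail address, an enumerator that walks the identifier range, a hardened lookup that returns the address only to a session bound to the same account, and a log check that flags clients querying long runs of consecutive identifiers. The ICC-ID values, addresses, client IPs and the `login` stub are constructed for the demo and correspond to no real allocation; the detection step is a generalization, since the page says nothing about how AT&T's site logged requests.

```python
"""Toy model of an identifier-keyed PII lookup, its enumeration, and two defences.
Added example; all identifiers and addresses are constructed for the demo."""
import secrets
from collections import defaultdict

# Constructed data: hypothetical 19-digit ICC-IDs, not taken from any real allocation.
BASE_ICCID = 8900100000000000000
SUBSCRIBERS = {str(BASE_ICCID + i): f"user{i}@example.com" for i in range(12)}


def vulnerable_lookup(iccid: str):
    """Identifier in, e-mail out. Knowing the ICC-ID is the only 'credential'."""
    return SUBSCRIBERS.get(iccid)


def enumerate_range(start: int, count: int, lookup):
    """Walk a predictable identifier range and keep every hit (the enumeration the article describes)."""
    found = {}
    for n in range(start, start + count):
        email = lookup(str(n))
        if email is not None:
            found[str(n)] = email
    return found


# Hardened design: a session is issued only after the subscriber authenticates
# (the login itself is a stub here) and each session is bound to exactly one ICC-ID.
SESSIONS = {}


def login(iccid: str) -> str:
    """Stand-in for real authentication; returns an unguessable session token bound to iccid."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = iccid
    return token


def hardened_lookup(iccid: str, token: str):
    """Return the e-mail only when the session belongs to the same account as the ICC-ID.
    Unknown ID and wrong session both yield None, so the endpoint is not an existence oracle."""
    if SESSIONS.get(token) != iccid:
        return None
    return SUBSCRIBERS.get(iccid)


def flag_enumerators(requests, min_consecutive: int = 20):
    """Detection over (client, iccid) request tuples: count queried IDs that sit directly
    after another ID the same client queried. A real subscriber touches one or two IDs;
    a scraper walking the range produces long consecutive runs."""
    seen = defaultdict(set)
    for client, iccid in requests:
        seen[client].add(int(iccid))
    flagged = {}
    for client, ids in seen.items():
        ordered = sorted(ids)
        runs = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if runs >= min_consecutive:
            flagged[client] = runs
    return flagged


if __name__ == "__main__":
    leaked = enumerate_range(BASE_ICCID - 5, 100, vulnerable_lookup)
    print(f"vulnerable endpoint: {len(leaked)} of {len(SUBSCRIBERS)} addresses harvested")
    tok = login(str(BASE_ICCID + 3))
    guarded = enumerate_range(BASE_ICCID - 5, 100, lambda i: hardened_lookup(i, tok))
    print(f"hardened endpoint: {len(guarded)} address(es) visible to one session")
    # Constructed access log: one client walks 100 consecutive IDs, another queries its own.
    log = [("203.0.113.5", str(n)) for n in range(BASE_ICCID - 5, BASE_ICCID + 95)]
    log.append(("198.51.100.7", str(BASE_ICCID + 3)))
    print("flagged:", flag_enumerators(log))
```

The fix is not secrecy of the identifier: an ICC-ID is printed on the SIM and visible to the device owner, so the server must never treat it as proof of anything. Binding the lookup to an authenticated session removes the enumeration, and the consecutive-run check catches a scraper even if an authentication bug later reopens the endpoint.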

The defendant's attorney, Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, said in an e-mail that a "retrial is barred by double jeopardy."

If the authorities do seek a second trial, he said, "we will raise precisely that."

He applauded the appellate court's decision, saying the government's position presented "a risk that defendants could be hailed anywhere in the country to face a criminal trial. This decision will hopefully put some limits on that practice and make sure important constitutional limitations on venue survive in the Internet age."

David Kravets
The senior editor for Ars Technica. Founder of TYDN fake news site. Technologist. Political scientist. Humorist. Dad of two boys. Been doing journalism for so long I remember manual typewriters with real paper. Email: david.kravets@arstechnica.com // Twitter: @dmkravets

107 Reader Comments

This is depressing. Not that they let weev out, but because the finding is strictly procedural. Weev, by all accounts, is an obnoxious dick, but the culture of punishing people with a ludicrous statute for executing what amounts to a public search absolutely *needs* to be decriminalized.

If I break into your store, pick up your customer records from a locked safe behind the counter, and then hand them to your competitors (or sell them to the black market) then sure, I'm committing a crime. If I walk into your showroom, examine the huge binder in the middle of the floor, unguarded, marked PRIVATE DATA, and then say: "Hey guys, you've got a serious problem here," that's not the same thing.

I'm sorry AT&T did something stupid and was embarrassed to have it called out. That doesn't make weev a criminal.


If by "marked PRIVATE DATA" you mean, "contains PII but is in no way identified as non-public information other than not sitting in the 'brochures' handout tray"


This.

Our courts are here to judge both the act and the intent when an act that could be considered criminal occurs. The first trial failed Auernheimer and simply was retribution for having thrown egg on AT&T's face.


You beat me to the depressing procedural comment. But I kind of disagree with your analogy. In your example the last action would not have been Weev saying you have a real problem here. It would be Weev copying the binder and finding the nearest reporter to publish the data in the binder with headline "Stupid business leaves binder of private data laying around showroom" But I do agree that this doesn't make him a criminal.


Right, but he was not acting as a whitehat. There is very clear legal precedent that shows that if you discover a security vulnerability on an organization's website, you alert them to it quietly using the appropriate channels. What you don't do is publicize the vulnerability to "teach them a lesson" as weev did, because doing so makes it possible for malicious parties to then exploit it.


So what about HeartBleed? Data sitting there publicly accessible, simple to access just because nobody realized there was a hole. It exposes data that *should* be private, but because of someone's mistake was left open for anyone to see. Sounds very similar to me. What do we do about the ars forum guys who immediately started posting as other people because the private data was *that* wide open? It doesn't seem like cases should be decided simply on how accessible the data is.


I'm not aware of any legal precedent about disclosure of security flaws. The issue regarding weev is that he actually used it and gave the data to another party.


Except in the case of HeartBleed, it is private, not "should be" private - they are accessing encrypted, hidden data by probing memory. A security hole and "no security" are not the same thing.


You have a good point, but at the same time if you picked up that binder, removed it from the premises, and then handed it over to a third party such as a reporter, you would likely face charges of theft.


No, this was still a good decision, even if it's not the one we were hoping for. If it was physical data, as with your binder, you should have been tried where the crime occurred. If it were physical data from a binder, I would think it would immediately be a bigger issue if the trial happened in the wrong jurisdiction. It also seems like this would have a lot of effect on patent trolls, since they're always suing in East Texas.

Edit: or maybe not, since civil litigation (that's what patents are, right?) is different from criminal. IANAL, obviously--does anyone else know if this will affect things in a good way?


Patent trolls set up empty offices in East Texas in order to have a physical presence there. They aren't playing super complicated games.


This is why the successful trolls rent a "branch office" in an East Texas building before they file. This gives them a legal presence in E. Texas that they can use as the basis for filing "locally".


Depressing, sure, but structurally and intentionally so. As has been stated before: The. Law. Moves. Slowly. Part of that slow movement: basing decisions on the simplest and most efficient grounds, leaving issues that don't technically need addressing in the case as untouched.

A court is supposed to address questions of process first, because Due Process matters. If the process question solves the practical injustice in a case before reaching the substantive merits, then the best practice is to limit the decision to the process question. In such cases, anything else relating to the substantive merits is dicta, and even if a "good" result is expounded in that dicta, it is vulnerable to some attorney or judge down the road arguing, "that decision was baseless because that court went beyond their proper scope, so that result should be thrown out or at least inapplicable moving forward". If you want a solid policy decision to emerge from a court decision, then all of the other issues have to be cleanly dealt with.

Of course, this can create the perception (sometimes justifiably) that the court is just punting the substantive issue, avoiding making a decision that the Government will feel obligated to appeal further. Does the Third Circuit want to tell all of the AUSAs across the country (or at least in PA, NJ, DE, & VI) that they can't use this legal theory for criminal prosecution? No court really wants to make such a sweeping statement (except for the Supreme Court, which is by definition different, and does effectively albeit uncomfortably serve a legislative role when forced to).

But what broad underlying statement does the Third Circuit make in this decision? On its face, "Venue matters, so this should have been brought in CA, AK, or somewhere the plaintiffs and/or defendants actually resided." But the subtext I perceive (admittedly speculative) is, "None of the AUSAs in CA or AK brought this case, and the AUSA in NJ worked hard to apply NJ state laws, which we all know are tweaked to give prosecutors extra tools to deal with mobsters and racketeering. Those NJ state laws may have been misapplied/abused in this case, so venue matters, and thus improper venue is a valid reason to vacate the conviction."

So the Third Circuit gets to: (1) make a decision without stepping on the toes of the Government's use of 18 USC 1030, (2) tell off the NJ AUSA and shake their head at the absurd "wrong venue is harmless error" argument, (3) issue a decision on solid ground to resist an appeal, and (4) let the fellow unjustly imprisoned out of jail. Sounds like a win for them, oh, and some justice was served.

(edit: typo & remembered the Virgin Islands are also part of the Third Circuit)


That this is true in no way impacts the fact that it's basically complete bull shit that this type of gaming of the system is not only legal, but works the way it does. I'm not saying patent suits should necessarily need to be changed to having the venue be determined by the defendant (there are issues with THAT for truly legitimate--in both spirit and letter--patent/copyright/etc claims), but "shadow" branch offices should not be adequate for a claim of venue when they aren't the location where most business is actually transacted, and where principal stake holders are located (in the case of true trolls who do no actual business).


Can they recharge him in the proper jurisdiction or does double jeopardy attach.

They can re-charge him. The ruling only vacates (nullifies) the original judgment against him, it isn't a ruling "on the merits" as to whether he is guilty or innocent of the charges.

I'm not entirely sure if Double Jeopardy applies; there might be CA or AK state laws that prevent re-charging Auernheimer. But even assuming they can re-charge him, "they" are the AUSAs in locations with proper venue, and those AUSAs have to want to bring such charges.


Copied, not removed. There's a difference.

Well going back to the CFAA, It is the equivalent of the "PRIVATE DATA" marking that is the main issue. If he was aware he was accessing data he wasn't authorized to access, then he likely broke the law. I agree that the law is vague and needs to be more clearly defined, but he accessed and copied what he realized was private user data. He then turned that data over to a third party which published it.

He went beyond accidental access though a security hole. He exploited a security hole to acquire a copy of confidential information.

I think the law needs an exception for when no harm was intended so that White Hats can find bugs, but not for idiots who choose to release people's private data to embarrass the company and gain some kind of hacker cred.

I believe it does. I seem to recall that as soon as a plea is entered, jeopardy attaches, triggering the Fifth Amendment double jeopardy protections. I'm on my phone ATM, so I'm not going to look it all up, but I'm pretty sure this would end prosecution of the guy.


Well, it obviously *wasn't* private if the server was sending out arbitrary memory in its payload just by asking for it in the right way.

Where's the distinction? If I forget to put an htaccess on a directory, or close a firewall port and leak private data, how is that different from leaking private data through a code mistake?

While I agree with the ruling from a legal point of view, the outcome sucks. Weev has been dragged halfway across the country to be tried in the wrong jurisdiction, held in solitary confinement for years, and now after more than 3 years the "good news" is that he gets to start the whole process over from square one.

Regardless of what the final interpretation of the CFAA ends up being, the amount of punishment that he will receive before that final ruling even happens will be wildly disproportionate to the harm he caused.


After he told AT&T and they did nothing to fix it.

Edit: Oh really, a downvote? From the updated story:

Quote:

A day before his sentencing, Auernheimer commented on Reddit last year that his only "regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won't nearly be as nice next time."

I don't know what's sadder ... that companies are too busy finding scapegoats to reactively blame their stupidity on instead of proactively preventing it in the first place ... or our legal system spending tons of time dicking around over which jurisdiction this should cover, what law, etc, etc.

I think what really stinks about this is that if the plaintiff wins they are essentially being rewarded for shitty IT behaviour.

Leave your shit insecure. Dude finds it. Does something with it. Take him to court, sue him, get a pay day.

Wut? And we wonder why we've become a culture of victimization, it's because being victimized (or just playing one) is profitable.

So what about Heartbleed? Data sitting there publicly accessible, simple to access just because nobody realized there was a hole. It exposes data that *should* be private, but because of someone's mistake was left open for anyone to see. Sounds very similar to me. What do we do about the ars forum guys who immediately started posting as other people because the private data was *that* wide open? It doesn't seem like cases should be decided simply on how accessible the data is.

Except in the case of Heartbleed, it is private, not "should be" private: they are accessing encrypted, hidden data by probing memory. A security hole and "no security" are not the same thing.

Where's the distinction? If I forget to put an htaccess on a directory, or close a firewall port and leak private data, how is that different from leaking private data through a code mistake?

If you don't understand the distinction inherently, I am pretty sure there is literally no way to explain it to you. Maybe with an excess amount of charts and people with a lot more patience than me.

Simple version: Putting data in a safe you left the default combination on is still security. Pictures posted in your house visible through a window is not security.

Simple version: Getting through a locked door with a key you found under a mat is still security. Pictures posted in your house visible through a window is not security.

That's about as effective as admitting there is no distinction. You seem to be under the illusion that servers weren't just readily throwing up private data if you asked for it. To me Heartbleed is about the same as keeping something private through using an obscure URL: if you know how to ask for it, the server will give it to you.

You have a good point, but at the same time if you picked up that binder, removed it from the premises, and then handed it over to a third party such as a reporter, you would likely face charges of theft.

Copied, not removed. There's a difference.

Well, going back to the CFAA, it is the equivalent of the "PRIVATE DATA" marking that is the main issue. If he was aware he was accessing data he wasn't authorized to access, then he likely broke the law. I agree that the law is vague and needs to be more clearly defined, but he accessed and copied what he realized was private user data. He then turned that data over to a third party which published it.

He went beyond accidental access through a security hole. He exploited a security hole to acquire a copy of confidential information.

I think the law needs an exception for when no harm was intended so that White Hats can find bugs, but not for idiots who choose to release people's private data to embarrass the company and gain some kind of hacker cred.

The problem is the confusion of the term "hacking", which has kind of been at the core of many of the cases involving CFAA that are currently under review.

The thing under contention isn't whether what he did was good or bad. The point under contention is whether happening to discover that, say, arstechnica.com/userinformation.php gives unsecured access to all user details is actually "hacking", under the CFAA.

Even if you believe he's guilty of a crime, it's important to recognize that he should actually be charged under the right law because of the way precedent works. Would you want to be charged with hacking because some day you try to log into a site, enter the wrong password, but it somehow registers as an administrator's instead? Or because a friend linked you a URL over Twitter that turns out to be a list of user details that your ISP left unsecured? Because those are the kinds of results we're looking at if some of these CFAA convictions stand.

Speaking of which: I may have missed this in a previous article on the topic, but do we know if AT&T ever got around to fixing the bug? I think it would be quite amusing if the first thing weev did after getting out is demonstrate that the bug's still there and still sitting wide open...

I mean, it would be outright stupid for him to do such a thing, after all of this... but amusing, nonetheless.

That's about as effective as admitting there is no distinction.

No. What I'm saying is way more insulting than that.

It's not insulting to admit that your distinction is an arbitrary illusion.